Further Reading: The lawful basis of processing

All processing of personal data must be subject to one of the following:

  • with the consent of the individuals concerned
  • necessary to meet a contractual obligation between your business and the individual
  • necessary to meet a legal obligation under EU or national legislation
  • necessary for the performance of a task carried out in the public interest
  • necessary to protect the vital interests of an individual
  • necessary for your business’s legitimate interests, or those of a third party provided those interests do not override the fundamental rights and freedoms of the individual concerned

Necessity and proportionality are intrinsically linked key features applied throughout GDPR.

Necessity means the minimum and least intrusive processing required to satisfy the identified legitimate purpose, whereas the principle of proportionality requires consideration of the appropriateness of processing (with or without safeguards), bearing in mind the principles of data protection. In other words, does the end justify the means?

Section 8 of the DPA 2018 assists with the meaning of ‘public interest’. It includes processing in the administration of justice.

When creating a Record of Processing Activities (Article 30), identify the appropriate lawful basis for the processing for each data flow. If relying on legitimate interests, carry out an assessment and record the findings.


Article 6 and Recitals (40) to (49) of the GDPR

Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/E

Section 8 of the DPA 2018 http://www.legislation.gov.uk/ukpga/2018/12/section/8/enacted

EDPB Guidelines on Consent 05/2020

EDPB Guidelines on Contract 02/2019 https://edpb.europa.eu/our-work-tools/our-documents/smjernice/guidelines-22019-processing-personal-data-under-article-61b_en

EDPB Guidelines on proportionality https://edps.europa.eu/sites/edp/files/publication/19-12-19_edps_proportionality_guidelines2_en.pdf

EDPB Guidelines on necessity https://edps.europa.eu/sites/edp/files/publication/17-06-01_necessity_toolkit_final_en.pdf

ICO guidance including interaction of lawful bases with the application of rights and further links https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/